Tag: security

Working With ACLs In ServiceNow

 

ACLs (Access Control Lists) are the mechanism by which ServiceNow enforces granular access control on its data. An ACL is defined for an operation (read, write, create, delete and so on) on a table, and can be applied to the records of that table as well as to individual fields within those records.

When working with ACLs, it is important to understand that the three parts of an ACL definition are evaluated in a fixed order, and that a request must pass every part that has been defined. Because evaluation stops at the first part that fails, this order has performance implications.

These are, in order:

  1. Roles
  2. Criteria (the Condition field on the ACL form)
  3. Script

 

ROLES: FASTEST

Roles evaluate extremely fast because a user’s roles are cached in server memory, so gating an ACL on a role is always recommended. The user must hold at least one of the roles listed before the ACL proceeds to the next check.

CRITERIA: FAST

Criteria are based on values in the current record and evaluate quickly, but only after the role check has passed.

You can build complex criteria by dot-walking to related records (“Show related records”), but these incur a performance overhead because ServiceNow must load each related record before it can evaluate the condition.

For example, a condition on the company of the person a record is assigned to (assigned_to.company) requires ServiceNow to load two additional records, the assigned user and then that user’s company, before the condition can be evaluated.

Remember that this cost does not scale linearly.

Criteria like this may seem blisteringly fast when viewing a single record in a development environment, but in production many users access records at the same time, and if the ACL is a read rule applied to a list view the criteria must be evaluated for each row displayed. The overhead is therefore multiplied by the number of rows and again by the number of concurrent users.


SCRIPT: SLOWEST

Although “slowest” is a relative term here, ACL scripts always evaluate at least slightly slower than ACL roles and ACL criteria, for a number of reasons.

Scripts are often needed in ACLs, but they should always be carefully considered for performance implications.

The best practice with scripts is to shield them behind roles and criteria. That way the script does not run at all unless the request has first matched the role and then the criteria, so the script’s overhead is avoided entirely for requests that would have been denied anyway, and the access decision is unchanged because every defined part must still pass.

Consider two ACLs on the same table and operation. The first lists the itil role, has the criteria “active is true”, and then a script. The second lists no roles and no criteria, and performs all three checks inside its script. Functionally they grant identical access, but the second will run considerably slower because:

  • The script runs for ALL users, not just those who have the itil role
  • The script runs on ALL records, not just those that are active
  • For every one of those evaluations, ServiceNow’s Java layer has to invoke the Rhino JavaScript engine, whereas the role and criteria checks are handled natively

Ideally, scripts should only be used on ACLs that already have roles and criteria, to ensure they run only when absolutely necessary. This is a performance argument rather than a security one: moving the role check from the ACL’s role list into its script does not change who is granted access, provided the script is correct. It does make the ACL harder to audit, though, because the granting roles are no longer visible on the ACL form or in role-based reporting.
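To make the comparison concrete, here is an added example that is not ServiceNow code and not from the original article: a plain JavaScript model of the three-step evaluation order. The evaluator, the gs and current stand-ins, the hypothetical sameGroup rule, and the users and records are all constructed for illustration. The point it shows is that the shielded ACL and the script-only ACL return identical decisions, while the shielded one invokes its script half as often on this data.

```javascript
// Added example: a small model of ServiceNow's ACL evaluation order
// (roles -> criteria -> script, stopping at the first failure). It is not
// ServiceNow's engine; users, records and the business rule are constructed.

// Evaluates one ACL for one user against one record, in ServiceNow's order.
// stats.scriptRuns counts how often the Rhino-backed script would be invoked.
function evaluateAcl(acl, user, record, stats) {
  // 1. Roles: the user must hold at least one listed role. An empty list
  //    means no role is required, as on the ACL form.
  if (acl.roles.length > 0 && !acl.roles.some((r) => user.roles.includes(r))) {
    return false;
  }
  // 2. Criteria: evaluated against fields of the current record only.
  if (acl.condition && !acl.condition(record)) {
    return false;
  }
  // 3. Script: the expensive step, reached only when 1 and 2 passed.
  if (acl.script) {
    stats.scriptRuns += 1;
    // Stand-in for the server-side gs object; only what the scripts call.
    // (In ServiceNow, gs.getUser() returns a GlideUser, not a plain object.)
    const gs = {
      hasRole: (role) => user.roles.includes(role),
      getUser: () => user,
    };
    return Boolean(acl.script(gs, record));
  }
  return true;
}

// Hypothetical business rule shared by both ACLs: the user may only act on
// records owned by their own assignment group.
function sameGroup(current, user) {
  return current.assignment_group === user.assignment_group;
}

// ACL A, shielded: role and criteria are declared on the ACL form, so the
// script only runs for itil users looking at active records.
const shieldedAcl = {
  roles: ['itil'],
  condition: (current) => current.active === true,
  script: (gs, current) => sameGroup(current, gs.getUser()),
};

// ACL B, script-only: same decision, but every check lives in the script,
// so the script runs for every user on every record.
const scriptOnlyAcl = {
  roles: [],
  condition: null,
  script: (gs, current) =>
    gs.hasRole('itil') && current.active === true && sameGroup(current, gs.getUser()),
};

// Constructed sample data (not from any real instance).
const users = [
  { sys_id: 'alice', roles: ['itil'], assignment_group: 'network' },
  { sys_id: 'bob', roles: ['itil'], assignment_group: 'database' },
  { sys_id: 'carol', roles: [], assignment_group: 'network' }, // self-service only
];
const records = [
  { number: 'INC0000001', active: true, assignment_group: 'network' },
  { number: 'INC0000002', active: true, assignment_group: 'database' },
  { number: 'INC0000003', active: false, assignment_group: 'network' },
  { number: 'INC0000004', active: true, assignment_group: 'network' },
];

// Runs an ACL over every user/record pair, as a list view would, returning
// the access decisions and the number of script invocations.
function runAcl(acl) {
  const stats = { scriptRuns: 0 };
  const decisions = {};
  for (const user of users) {
    for (const record of records) {
      decisions[`${user.sys_id}:${record.number}`] = evaluateAcl(acl, user, record, stats);
    }
  }
  return { decisions, scriptRuns: stats.scriptRuns };
}

// True when both ACLs grant exactly the same access to every pair.
function decisionsMatch(a, b) {
  return JSON.stringify(a.decisions) === JSON.stringify(b.decisions);
}

const shielded = runAcl(shieldedAcl);
const scriptOnly = runAcl(scriptOnlyAcl);
console.log('identical decisions:', decisionsMatch(shielded, scriptOnly)); // true
console.log('script runs, shielded:', shielded.scriptRuns);                // 6
console.log('script runs, script-only:', scriptOnly.scriptRuns);           // 12
```

The shielded ACL never runs its script for carol (no itil role) or for the inactive record, which is exactly the work the role and criteria checks save in a real instance; the saving grows with the number of users and rows, which is why list views of large tables are where script-only ACLs hurt most.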

ServiceNow is optimised to run ACLs extremely fast, but they can introduce a performance overhead on large instances with millions of records.

JDS is experienced in optimizing ACLs and can use a variety of methods to drastically improve ACL performance. For more information, reach out to the JDS ServiceNow team.

To learn more, contact our team today on 1300 780 432, or email [email protected].

Using Splunk to look for Spectre and Meltdown security breaches

Meltdown and Spectre are two security vulnerabilities that are currently impacting millions of businesses all over the world. Since the news broke about the flaws in modern processors (Meltdown mainly affects Intel chips, while Spectre affects Intel, AMD and ARM designs) that opened the door to once-secure information, companies have been bulking up their system security and implementing patches to prevent a breach.

Want to make sure your system is protected from the recent outbreak of Spectre and Meltdown? One of our Splunk Architects, Andy Erskine, explains one of the ways JDS can leverage Splunk Enterprise Security to check that your environment has been successfully patched.

What are Spectre and Meltdown and what do I need to do?

According to the researchers who discovered the vulnerabilities, Spectre “breaks the isolation between different applications”, which allows attackers to expose data that was previously considered secure. Meltdown “breaks the most fundamental isolation between user applications and the operating system”.

Neither attack relies on a bug in the operating system or in application software. Both are hardware side-channel attacks: they abuse speculative execution in the processor and then use cache timing as a side channel to read memory the attacker should not be able to access. Because the flaw is in the hardware, the fixes are mitigations applied in operating systems, microcode, compilers and browsers rather than a repair of some vulnerable code.

The best way to lower the risk to your business’s sensitive information is to apply the vendor patches as soon as possible.

Identifying affected systems

Operating system vendors have released out-of-band patches, outside their regular release cycles, to address these issues.

Vulnerability scanners such as Tenable Nessus, Qualys and Tripwire IP360 regularly scan your environment and can identify affected systems by checking whether the newly released patches have been applied.

Each scanner plugin written for the Spectre and Meltdown vulnerabilities is tagged with at least one of the following CVEs:

Spectre:

CVE-2017-5753: bounds check bypass

CVE-2017-5715: branch target injection

Meltdown:

CVE-2017-5754: rogue data cache load

To analyse whether your environment has been successfully patched, ingest the data from these vulnerability management tools and present it in Splunk Enterprise Security.

Most of these tools have a Splunk add-on that brings the data in and maps it to the Common Information Model (CIM). From there, searches such as the one below identify the specific CVEs associated with Spectre and Meltdown.

Once the data is flowing into Splunk, a search can discover the vulnerable hosts, a scheduled alert can notify on any that are found, and those hosts can be prioritised for patching.

Here is an example search that customers using Splunk Enterprise Security can use to identify vulnerable endpoints. Two caveats: in the CIM Vulnerabilities data model the affected host is carried in the dest field, so adjust src to whichever field your add-on populates; and the CVE values must be quoted without a leading space, otherwise the equality test silently matches nothing.

tag=vulnerability (cve="CVE-2017-5753" OR cve="CVE-2017-5715" OR cve="CVE-2017-5754")
| fillnull value=NOT_FIXED last_fixed
| search last_fixed=NOT_FIXED
| table src cve pluginName first_found last_found last_fixed
| dedup src
| stats count as total

The open-finding filter (fillnull and search) runs before dedup src on purpose: if dedup ran first it would keep only the first row per host, and a host whose first row is an already-fixed finding would disappear from the results even though another of its Spectre or Meltdown findings is still open. Drop the final stats line to see the list of hosts rather than the count.
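As an added example, not part of the original article and not Splunk code, the following JavaScript applies the same logic as the search to a handful of constructed scan rows. The hostnames, dates, and the src, cve and last_fixed field names are assumptions chosen to mirror the search. Beyond the search itself, it shows two things a practitioner should check: that the open-finding filter runs before the per-host dedup, and that CVE values are normalised before comparison so a stray space or lower-case value cannot hide a finding.

```javascript
// Added example: the logic of the Spectre/Meltdown search in plain
// JavaScript over constructed vulnerability-scan rows. Not Splunk code.

const SPECTRE_MELTDOWN_CVES = new Set([
  'CVE-2017-5753', // Spectre variant 1, bounds check bypass
  'CVE-2017-5715', // Spectre variant 2, branch target injection
  'CVE-2017-5754', // Meltdown, rogue data cache load
]);

// Constructed scan output, one row per (host, CVE) finding. last_fixed is
// null when the scanner has never observed the finding as remediated.
// Hostnames and dates are made up for illustration.
const scanRows = [
  { tag: 'vulnerability', src: 'web01', cve: 'CVE-2017-5754', last_fixed: '2018-01-10' },
  { tag: 'vulnerability', src: 'web01', cve: 'CVE-2017-5715', last_fixed: null },
  { tag: 'vulnerability', src: 'db01',  cve: 'CVE-2017-5754', last_fixed: '2018-01-09' },
  { tag: 'vulnerability', src: 'db01',  cve: 'CVE-2017-5753', last_fixed: '2018-01-09' },
  // Leading space and lower case, as a badly normalised feed might deliver it.
  { tag: 'vulnerability', src: 'app02', cve: ' cve-2017-5753', last_fixed: null },
  // Not in the vulnerability data model, so the tag filter must drop it.
  { tag: 'network',       src: 'fw01',  cve: 'CVE-2017-5715', last_fixed: null },
];

// Trims and upper-cases a CVE so the set lookup is an exact match.
function normaliseCve(cve) {
  return String(cve).trim().toUpperCase();
}

// True for a row the scanner has never seen remediated (the fillnull case).
function isOpen(row) {
  return row.last_fixed === null || row.last_fixed === undefined || row.last_fixed === '';
}

// Mirrors: tag=vulnerability (cve=... OR ...) | fillnull ... | search last_fixed=NOT_FIXED
function unfixedFindings(rows) {
  return rows.filter(
    (r) => r.tag === 'vulnerability' && SPECTRE_MELTDOWN_CVES.has(normaliseCve(r.cve)) && isOpen(r),
  );
}

// Filter first, then collapse to one entry per host (dedup src): every host
// with at least one open Spectre/Meltdown finding is reported.
function vulnerableHosts(rows) {
  return [...new Set(unfixedFindings(rows).map((r) => r.src))].sort();
}

// The other order: dedup src straight after the CVE filter, then test
// last_fixed. Only the first row per host survives, so a host whose first
// row is a fixed finding is lost even though another finding is still open.
function vulnerableHostsDedupFirst(rows) {
  const firstPerHost = new Map();
  for (const r of rows) {
    if (r.tag !== 'vulnerability' || !SPECTRE_MELTDOWN_CVES.has(normaliseCve(r.cve))) continue;
    if (!firstPerHost.has(r.src)) firstPerHost.set(r.src, r);
  }
  return [...firstPerHost.values()].filter(isOpen).map((r) => r.src).sort();
}

// Equivalent of the final "| stats count as total".
function vulnerableHostCount(rows) {
  return vulnerableHosts(rows).length;
}

console.log('open findings:', unfixedFindings(scanRows).length);        // 2
console.log('vulnerable hosts:', vulnerableHosts(scanRows));             // [ 'app02', 'web01' ]
console.log('dedup-first (wrong):', vulnerableHostsDedupFirst(scanRows)); // [ 'app02' ]
console.log('total:', vulnerableHostCount(scanRows));                    // 2
```

web01 is the case that matters: its Meltdown finding is fixed but its Spectre variant 2 finding is not, and only the filter-then-dedup order reports it. In Splunk the same correction is to place fillnull and search before dedup.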

Example Dashboard Mock-Up

JDS consultants are experts in IT security and proud partners with Splunk. If you are looking for advice from the experts to implement or enhance Splunk Enterprise Security or any other Splunk solution, get in touch with us today.

Conclusion

To find out more about how JDS can help you with your security needs, contact our team today on 1300 780 432, or email [email protected].


Case Study: Netwealth bolster their security with Splunk

The prompt and decision

"As a financial services organisation, information security and system availability are core to the success of our business. With the business growing, we needed a solution that was scalable and which allowed our team to focus on high-value management tasks rather than on data collection and review."

Information security is vital to modern organisations, and particularly for those that deal in sensitive data, such as Netwealth. It is essential to actively assess software applications for security weaknesses to prevent exploitation and access by third parties, who could otherwise extract confidential and proprietary information. Security monitoring looks for abnormal behaviours and trends that could indicate a security breach.

"The continued growth of the business and the increased sophistication of threats prompted us to look for a better way to bring together our security and IT operations information and events," explains Chris Foong, Technology Infrastructure Manager at Netwealth. "Advancements in the technology available in this space over the last few years meant that a number of attractive options were available."

The first stage in Netwealth’s project was to select the right tool for the job, with several options short-listed. Each of these options was pilot tested, to establish which was the best fit to the requirements—and Splunk, with its high versatility and ease of use, was the selected solution.

The power in the solution comes from Splunk’s ability to combine multiple real-time data flows with machine learning and analysis which prioritises threats and actions, and the use of dynamic visual correlations and on-demand custom queries to more easily triage threats. Together, this empowers IT to make informed decisions.

Objective

Netwealth’s business objective was to implement a security information and event management (SIEM) tool to enhance the management of security vulnerabilities and reporting. Their existing tool no longer met the expanding needs of the business, and so they looked to Splunk and JDS to provide a solution.

Approach

Netwealth conducted a proof of concept with various tools, and Splunk was selected. JDS Australia, as Splunk Implementation Partner, provided licensing and expertise.

IT improvements

Implementing Splunk monitoring gave Netwealth enhanced visibility over their security environment, and the movement of sensitive data through the business. This enabled them to triage security events and vulnerabilities in real time.

About Netwealth

Founded in 1999, Netwealth was established to provide astute investors and wealth professionals with a better way to invest, protect and manage their current and future wealth. As a business, Netwealth seeks to enable, educate and inspire Australians to see wealth differently and to discover a brighter future.

Netwealth offers a range of innovative portfolio administration, superannuation, retirement, investment, and managed account solutions to investors and non-institutional intermediaries including financial advisers, private clients, and high net worth firms.

Industry

Financial Services

Primary applications

  • Office 365
  • FortiGate
  • IIS
  • Juniper SRX
  • Microsoft DNS
  • Microsoft AD and ADFS (Active Directory Federation Services)
  • JBoss (Java EE Application Server)
  • Fortinet

Primary software

  • Splunk Enterprise
  • Splunk Enterprise Security (application add-on)

The process

Now that Splunk had been identified as the best tool for the job, it was time to find an Implementation Partner—and that’s where JDS came in. JDS, as the most-certified Australian Splunk partner, was the natural choice. "JDS provided Splunk licensing, expertise on integrating data sources, and knowledge transfer to our internal team," says Foong.  

An agile, project-managed approach was taken:

  1. Understand the business requirements and potential threats associated with Netwealth’s environment.
  2. Identify the various services that required security monitoring.
  3. Identify the data feed for those services.
  4. Deploy and configure core Splunk.
  5. Deploy the Enterprise Security application onto Splunk.
  6. Configure the Enterprise Security application to enable features. These features gave visibility into areas of particular concern.

"JDS are professional. They delivered what they said they would, and didn’t under- or over-sell themselves. They’ve provided ongoing support and advice beyond the end of the project. We would work with them again."

Chris Foong, Technology Infrastructure Manager, Netwealth

The JDS difference

For this project, JDS "assisted Netwealth in deploying and configuring Splunk, and gaining confidence in Splunk Enterprise Security," explains the JDS Consultant on the case. "We were engaged as a trusted partner with Splunk, and within hours of deployment, we had helped Netwealth to gain greater visibility of the environment."

JDS were able to leverage their Splunk expertise to give added value to the client, advising them on how to gain maximum value in terms of both project staging, and in the onboarding of new applications. "We advocated a services approach—start by designing the dashboard you want, and work backwards towards the data required to build that dashboard."

"The JDS team worked well with our team, were knowledgeable about the product, and happy to share that knowledge with our team," says Netwealth’s Chris Foong. "They delivered what they said they would, and didn’t under- or over-sell themselves. We would work with them again."

End results

Chris Foong says that Netwealth was looking for "improved visibility over security and IT operations information and events, to aid in faster response and recovery"—and the project was a success on all counts.

"The project was delivered on time and to budget, and Splunk is now capturing data from all the required sources," adds Foong. "We also identified a number of additional use cases, over and above the base Enterprise Security case, such as rapidly troubleshooting performance degradation."

Now that Netwealth has implemented Splunk, the software has further applicability across the business. The next step is continuing to leverage Splunk, and JDS will be there to help.

Business Benefits

  • Gave Netwealth better visibility into the organisation’s security posture
  • Presents the opportunity for leveraging of Splunk in other areas of the business; for example, marketing
  • Allows Netwealth to have greater visibility into application and business statistics, with the potential to overlay machine learning and advanced statistical analysis of this business information

The project was certainly a success, and Splunk is working well in our environment.

Security testing—the JDS approach

What is security testing?

Security testing, which covers both vulnerability assessment and penetration testing, actively assesses software applications for security weaknesses. Such weaknesses may exist in an application’s code, configuration, or design, and allow the application to be exploited in a manner that lets third parties extract confidential and proprietary information.

Application security testing is vital to good security practice, as it allows businesses to take control of their risks by identifying and reducing security concerns. It provides confidence that your organisational data is safe, and that your clients are protected in turn.

How does it work?

JDS provides an application security testing service that assesses your application’s controls, provides recommendations to remediate identified issues, and removes factors that could aid an attack upon your business. We provide security testing for applications and environments, specialising in web, mobile, and cloud applications.

JDS provides our security testing clients with reports containing both technical definitions of the security issues located and, importantly, the high-level business context for each vulnerability. This includes scenario modelling in easily digestible language, enabling your business to make appropriate and timely decisions and reduce your organisational risk profile.

A rigorous approach

JDS adopts the Open Web Application Security Project (OWASP) testing methodology, as set out in the OWASP testing guides for web and mobile applications. This ensures all web, mobile, and cloud applications undergo a comprehensive assessment. All findings and recommendations are made simple for organisations to digest and act on through the use of abuse cases, risk ratings, live exploit demonstrations, issue representation, and developer education.